FortiView – FortiOS 6.2

FortiView

FortiView from disk

Prerequisites

All FortiGates with an SSD disk.

Restrictions

  • Desktop models (for example: under 100D) with SSD only support the five-minute and one-hour views.
  • Medium models (for example: 200D, 500D) with SSD support up to the 24-hour view.
  • Large models (for example: 1500D and above) with SSD support up to the seven-day view.
  • Confirm that the setting is enabled:

    config log setting
        set fortiview-weekly-data enable
    end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For best operation with FortiView, internal interface roles should be clearly defined as LAN; DMZ and internet facing or external interface roles should be defined as WAN.

To enable FortiView from Disk:

  1. Enable disk logging from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Disk.
  2. Enable historical FortiView from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Enable Historical FortiView.
  3. Click Apply.

To include sniffer traffic and local-deny traffic in FortiView from Disk:

This feature is only supported through the CLI.

    config report setting
        set report-source forward-traffic sniffer-traffic local-deny-traffic
    end

Source View

Top Level

Sample entry:

Time
  • Realtime (Now) entries are determined by the FortiGate's system session list.
  • Historical (5 minutes and later) entries are determined by traffic logs, with additional information coming from UTM logs.

Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.

Bubble Chart
  • The bubble chart shows the same information as the table, but in a different graphical manner.

Columns
  • Source shows the IP address (and the user, as well as the user avatar if configured) of the source device.
  • Device shows the device information as listed in User & Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best function.
  • Threat Score is the threat score of the source based on UTM features such as web filter and antivirus. It shows threat scores allowed and threat scores blocked.
  • Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list; in historical, it is from logs.
  • Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list; in historical, it is from logs.
  • Source is a simplified version of the first column, including only the IP address without extra information.
  • Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list; in historical, it is from the logs.
  • More information can be shown in a tooltip while hovering over these entries.
  • For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Drilldown Level

Sample entry:

Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.

Summary Information
  • Shows information such as the user/avatar, source IP, bytes, and sessions total for the time period.
  • Can quarantine the host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
  • Can ban IP addresses, which adds the source IP address into the quarantine list.

Tabs
  • Drilling down on entries in any of these tabs (except the Sessions tab) will take you to the underlying traffic log in the Sessions tab.
  • Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using application control in a firewall policy) or unscanned applications. Unscanned applications are shown when the following is enabled:

    config log gui-display
        set fortiview-unscanned-apps enable
    end

  • Destinations shows destinations grouped by IP address/FQDN.
  • Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, web filter, application control, etc.
  • Web Sites contains the websites which were detected either with web filter, or through FQDN in traffic logs.
  • Web Categories groups entries into their categories as dictated by the Web Filter Database.
  • Search Phrases shows entries of search phrases on search engines captured by a web filter UTM profile, with deep inspection enabled in the firewall policy.
  • Policies groups the entries by which policies they passed through or were blocked by.
  • Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
  • More information can be shown in a tooltip while hovering over these entries.

Troubleshooting

  • Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.

For example:

    [httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter': '{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan", "dmz", "undefined" ] }' (type=object)

  • Use diagnose debug application miglogd 0x70000 to check what the SQL command is that is passed to the underlying SQL database.

For example:

    fortiview_request_data()-898: total:31 start:1546559580 end:1546563179

    _dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1; takes 40(ms), agggr:0(ms)

  • Use exe report flush-cache and exe report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.
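When troubleshooting a FortiView view that shows fewer entries than expected, it helps to pull the applied filter and the SQL time window out of the two debug outputs above rather than reading them by eye. The following is an added example, not part of the FortiOS guide: it parses the `api_store_parameter` line from httpsd (extracting the filter JSON) and the `_dump_sql` line from miglogd (extracting dataset, BETWEEN window and query duration). The sample lines are constructed to match the format shown above; the function names and the 1000 ms slow-query threshold are this example's own choices.

```python
import json
import re

# Constructed sample lines modelled on the debug output in this guide
# (IPs and timestamps are made-up values, not from a real device).
HTTPSD_LINE = ("[httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter "
               "'filter': '{ \"source\": \"10.1.100.30\", \"application\": \"TCP\\/5228\", "
               "\"srcintfrole\": [ \"lan\", \"dmz\", \"undefined\" ] }' (type=object)")
MIGLOGD_LINE = ("_dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1 from "
                "grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 "
                "AND srcip in ('10.1.100.11'); takes 40(ms), agggr:0(ms)")

FILTER_RE = re.compile(r"add API parameter '(?P<name>[^']+)': '(?P<value>.*)' \(type=(?P<type>\w+)\)")
SQL_RE = re.compile(r"dataset=(?P<dataset>[\w.]+), sql:(?P<sql>.*?); takes (?P<ms>\d+)\(ms\)")
RANGE_RE = re.compile(r"timestamp BETWEEN (?P<start>\d+) and (?P<end>\d+)", re.IGNORECASE)


def parse_httpsd_filter(line):
    """Return (parameter name, decoded value) for an api_store_parameter line, else None."""
    m = FILTER_RE.search(line)
    if not m:
        return None
    value = m.group("value")
    if m.group("type") == "object":
        # The GUI sends the filter as JSON; json.loads also unescapes "TCP\/5228" to "TCP/5228".
        value = json.loads(value)
    return m.group("name"), value


def parse_miglogd_sql(line):
    """Return dataset, BETWEEN window (epoch seconds) and duration in ms for a _dump_sql line."""
    m = SQL_RE.search(line)
    if not m:
        return None
    r = RANGE_RE.search(m.group("sql"))
    start, end = (int(r.group("start")), int(r.group("end"))) if r else (None, None)
    return {"dataset": m.group("dataset"), "start": start, "end": end,
            "window_s": (end - start) if r else None, "ms": int(m.group("ms"))}


def slow_queries(lines, threshold_ms=1000):
    """List (dataset, ms) for FortiView queries in a miglogd capture that exceed threshold_ms."""
    out = []
    for line in lines:
        q = parse_miglogd_sql(line)
        if q and q["ms"] > threshold_ms:
            out.append((q["dataset"], q["ms"]))
    return out
```

Feed a saved `diagnose debug application miglogd 0x70000` capture to `slow_queries` to spot datasets whose SQL is slow enough to explain a view timing out, and compare the `srcintfrole` list from `parse_httpsd_filter` against the interface roles you actually configured.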

 

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
